Share this story

Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time. That convenience is a double-edge sword, warn researchers. To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements.

The proof-of-concept attack worked because of weaknesses identified five months ago by an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal. As a result, geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or bar where they're drinking and monitored almost continuously, according to research scheduled to be presented Saturday at the Shmoocon security conference in Washington, DC.

Grindr officials declined to comment for this post beyond what they said in posts here and here published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.

Pinpointing users’ precise locations

The proof-of-concept attack works by abusing a location-sharing function that Grindr officials say is a core offering of the app. The feature allows a user to know when other users are close by. The programming interface that makes the information available can be hacked by sending Grinder rapid queries that falsely supply different locations of the requesting user. By using three separate fictitious locations, an attacker can map the other users' precise location using the mathematical process known as trilateration.

Synack researcher Colby Moore said his firm alerted Grindr developers of the threat last March. Aside from turning off location sharing in countries that host anti-gay laws and making location data available only to authenticated Grindr users, the weakness remains a threat to any user that leaves location sharing on. Grindr introduced those limited changes following a report that Egyptian police used Grindr to track down and prosecute gay people. Moore said there are several things Grindr developers could do to better fix the weakness.

"The biggest thing is don't allow vast distance changes repeatedly," he told Ars. "If I say I'm five miles here, five miles there within a matter of 10 seconds, you know something is false. There are a lot of things you can do that are easy on the backside." He said Grinder could also do things to make the location data slightly less granular. "You just introduce some rounding error into a lot of these things. A user will report their coordinates, and on the backend side Grindr can introduce a slight falsehood into the reading."

The exploit allowed Moore to compile a detailed dossier on volunteer users by tracking where they went to work in the morning, the gyms where they exercised, where they slept at night, and other places they frequented. Using this data and cross referencing it with public records and data contained in Grindr profiles and other social networking sites, it would be possible to uncover the identities of these people.

"Using the framework we developed, we were able to correlate identities very easily," Moore said. "Most users on the application share lots and lots of additional personal details such as race, height, weight, and a photo. Many users also linked to social media accounts within their profiles. The concrete example would be that we were able to replicate this attack multiple times on willing participants without fail."

Moore was also able to abuse the feature to compile one-time snapshots of 15,000 or so users located in the San Francisco Bay area, and, before location sharing was disabled in Russia, Gridr users visiting the Sochi Olympics.